Saturday 21 January 2017

Understanding FSMO role in active directory and impact when unavailable

Or, FSMO Roles in AD (Active Directory) – Explained
Or, Active Directory FSMO Roles Explained
Or, FSMO roles functions and impact when unavailable

Descriptions: FSMO stands for Flexible Single Master Operation. FSMO roles are one of the critical component of Active Directory which helps a large Active Directory domain environment to be managed in an efficient way in terms of internal communication, availability, accessibility and replications.

FSMO have 5 roles and these roles are categorized logically in two categories, Domain Level roles and Forest Level roles.

FSMO Roles and Categories:











FSMO Roles functions and impact when unavailable:

Schema Master Role: The schema master role holder Domain Controller is responsible to control all updates and modifications to the schema (e.g. user name, company name, email address, department name etc..). Once the schema update is completed, it is replicated from Schema Master domain controller to all other domain controllers in the domain network or forest. To update the schema of a forest, you must have schema admin privileges.

Schema Master role is Forest Level role and there can be only one schema master in a forest.

Impact, if Schema Master Domain Controller is down? Modification to schema objects may not be replicated to other domain controllers in your network. Addition of any new application or server which requires schema modification like, Exchange server, Lync Server etc. will not take place.

Domain Naming Master Role: The domain naming master role holder domain controller is responsible for controlling the addition and removal of domains in the forest. This domain controller is the only one which can allow addition or removal of domain from in the forest.

Domain Naming Master role is Forest level role and there can be only one domain naming master in a forest.

Impact, if Domain Naming Master Domain Controller is down? You can not add new domain in the forest and also you will not be able to remove exiting domains from the forest. Unless you have domain addition and removal kind of activities, there is going to be no impact on your running production.

RID Master Role: The RID Master role holder domain controller is responsible for assigning unique identity number to all the objects created in Active Directory. Whenever any object created and joined in Domain, RID master domain controller is responsible to assign a unique identity number to that object whether it is a computer, printer, user or group etc...

The RID Master role is Domain Level role and there can be more than one RID Master in a forest.

Impact, if RID Master Domain Controller is down? When this domain controller is down, there is no quick impact going to take place because all the Domain controllers by are assigned with 500 RID pool. Even if the RID Master is down, you would be able to create or add new objects in AD till the time you have the RID pool of 500. Once this RID pool is completely occupied, you would no more be able to create or add any additional objects in AD.

To check how many RID pools are available on your domain controller, you can use below command (search for the value RIDManager term once the command is completed).

Dcdiag /test:ridmanager /v

Infrastructure Master Role: The Infrastructure Master role holder Domain Controller is responsible for cross-domain reference check.

Example: We have a security group ‘Finance’ and the user ‘Test-User-1’ is member of this security group. When the user Test-User-1 access the resources where Finance security have access, Infrastructure master role is responsible to validate this information with the help of Global Catalog server.

If any objects or user’s information changes take plane in the domain, Infrastructure master role is responsible for replicating this information to cross domain DCs.

Infrastructure Master role is Domain Level role and there can be more than one Infrastructure master role in a forest.

Impact, if Infrastructure Master Domain Controller is down? Objects changes and updates may not be replicated to cross-domain DCs. Means, if you have shared folder access on a folder where a security group from cross-domain DC is having access and you are just member of that security group, you may not be able to access the folder or it’s possible that new modification in access rights will not be replicated to other DCs.

PDC Emulator Role: PDC Emulator FSMO role holder Domain Controller is responsible for replication between NT4 DCs. This DC also hold the password update and replication authority. When any password changes or update occurs in the domain, PDC emulator is responsible for updating the password update information to all other DCs in the forest.

Authentication failures/success, logon attempts, accounts lockout status, group policy changes or modifications preferably updates on the PDC emulator domain controller first.  This DC also handles the primary Time Server (NTP Server) responsibility in the domain environment. Unless you have modified and dedicated time server in your network, PDC emulator domain controller is by default responsible for replicating time update to all domain joined machines or to the machine where it has been pointed specifically.

PDC Emulator role is Domain Level role and there can be more than one PDC emulator in a forest.

Impact, if PDC Emulator Domain Controller is down? This is the one Domain controller which is going to impact sooner than other. Time Sync across domain computers, new password changes update, group policy updates are not going to work till the time this Domain Controller is down. All existing things should work fine but any new changes and update is not going to take place.

Updated: 10-04-2018

Some reference useful KBs from Microsoft

https://support.microsoft.com/en-in/help/223346/fsmo-placement-and-optimization-on-active-directory-domain-controllers

https://support.microsoft.com/en-in/help/197132/active-directory-fsmo-roles-in-windows

Cheers, Please write me back if you have any query or feedback.

3 comments:

  1. Some reference useful LINK
    https://www.itsmarttricks.com/5-active-directory-fsmo-roles-in-windows-server/

    ReplyDelete
  2. hi dear
    how to repair the pdc emulator if it is not working or corrupted
    can u plz explain

    ReplyDelete
    Replies
    1. Hi Bhaskar,

      Thanks for writing back.

      Try to transfer PDC role to other healthy server and see if that works. Please ensure you have complete backup of your AD/ADC before performing any such operations.

      Thanks

      Delete